Multiple tests are skipped from Maester report #611
AAD.4.1 is skipped if you don't have Azure connected, as that is required to validate Diagnostic Settings. 7.1/2 require an additional privilege. Were you using the
Hi soulemike, as per the link shared above, before running "Connect-Maester -Privileged" we need to assign "RoleEligibilitySchedule.ReadWrite.Directory" with ReadWrite directory permission. I am not sure why the "Write" permission is required before running this test; Directory Read should be enough. Can you please advise why some of the tests below are not running? MT.1033: User should be blocked from using legacy authentication () NotRun
One more question: after creating the SPN and granting the required permissions, we connected to the SPN with client id and tenant id. After that we ran "Invoke-Maester" and the report was generated successfully. BUT if we run the command "Connect-Maester -Privileged" it requires "Need admin approval". The role assigned to the user running this test is "Global Reader" with the needed permissions. Any idea why we need "Admin Consent approval" when running "Connect-Maester -Privileged", and admin consent is not required when running "Invoke-Maester"? **Screenshot attached for reference.**
PS C:\Windows\System32\maester-tests> Connect-MgGraph -ClientId xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -TenantId xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
As of last discussion, it was an intentional requirement from the product team. #195 (comment)
For this I would suggest running interactively in the console, scoped to only that test's tag, with verbose logging to see if you can get more details. You can also test by just running that specific test's corresponding module cmdlet.
Since you are connecting with a SPN, the user's assigned roles don't matter; the SPN's assigned permissions are what matter. So you would need to add that permission to the SPN and flag it as admin consent on the assignment.
> Since you are connecting with a SPN, the user's assigned roles don't matter, the SPN's assigned permissions are what matter. So you would need to add that permission to the SPN and flag it as admin consent on the assignment.

As per the above screenshot we have assigned the required permissions with admin consent. Is it enough?
Correct. Application is what you want the permissions to be for the SPN to interface with those permissions; Delegated is if you want the SPN to be interactive for different users who delegate their credentials for the SPN to interface with those permissions.
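One way to verify this distinction on the SPN side, as an added example that is not part of the Maester project or of any comment in this thread: the script below lists which Microsoft Graph permissions a service principal holds as Application permissions versus Delegated grants, and checks for the permission named earlier in the thread. It assumes the Microsoft Graph PowerShell SDK and an existing Connect-MgGraph session with rights to read applications and grants; the client appId is a placeholder parameter.

```powershell
# Added audit helper (not Maester code). Assumes Microsoft.Graph SDK and an
# existing Connect-MgGraph session able to read service principals and grants.
param(
    [Parameter(Mandatory)] [string] $ClientAppId,   # placeholder: appId of the Maester SPN
    [string] $RequiredPermission = 'RoleEligibilitySchedule.ReadWrite.Directory'
)

# Well-known appId of the Microsoft Graph resource service principal.
$graphAppId = '00000003-0000-0000-c000-000000000000'

$graphSp  = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
if (-not $clientSp) { throw "No service principal found for appId $ClientAppId" }

# Application permissions are appRoleAssignments on the client SPN whose
# resource is Microsoft Graph; granting one to an SPN already implies admin consent.
$appRoleById = @{}
foreach ($role in $graphSp.AppRoles) { $appRoleById[$role.Id] = $role.Value }

$appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $appRoleById[$_.AppRoleId] }

# Delegated permissions are OAuth2 permission grants where this SPN is the client.
# ConsentType 'AllPrincipals' means admin-consented; 'Principal' is per-user consent.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)'" -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }
$delegatedPerms = $delegated | ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ }

"Application permissions (tenant-wide, no signed-in user):"
$appPerms | Sort-Object -Unique | ForEach-Object { "  $_" }
"Delegated permissions (consent type shown):"
$delegated | ForEach-Object { "  [$($_.ConsentType)] $($_.Scope)" }

if ($appPerms -contains $RequiredPermission) {
    "OK: $RequiredPermission is granted as an Application permission."
} elseif ($delegatedPerms -contains $RequiredPermission) {
    "WARN: $RequiredPermission is only a Delegated grant; a non-interactive SPN run will not have it."
} else {
    "MISSING: $RequiredPermission is not granted to this service principal."
}
```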
Thanks, soulemike, let me assign permissions and try to re-run the test.
Were your results better using Application permissions? |
Hi Soulemike, after adding all permissions, when I am trying to connect with the "Connect-Maester -Privileged" command, the authentication page is asking for "Need Admin Approval". I don't know why, after adding all needed permissions on the SPN, I need "Admin approval". My current assigned role is "Global Reader". I know that after assigning "Global Admin" this "Admin Approval" may not be required, but I want to run without assigning the "Global Admin" role.
With the same permissions other tests in the same category pass, but some are skipping. I don't know why these tests are failing without proper reasoning.
Please help and advise, especially for the 3 tests below.
MS.AAD.4.1: Security logs SHALL be sent to the agency's security operations center for monitoring. (Skipped)
MS.AAD.7.1: A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role. (Skipped)
MS.AAD.7.2: Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator. (Skipped)